最近在配置 matrix synapse 时,才注意到现在配置一个 https 网站已经非常简单,而且 nginx 也非常好用。
1、生成 SSL Letsencript 证书
letsencrypt提供免费的 SSL 证书,并且操作非常简单,命令行下几条命令即可完成。
1.1、安装letsencrpt
首先安装命令行工具:
sudo apt install letsencrypt -y
1.2、生成证书
再使用下面命令即可为zhiqiang.org生成免费的 SSL 证书:
sudo certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email zhang@zhiqiang -d zhiqiang.org
这条命令会显示以下信息:
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/zhiqiang.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/zhiqiang.org/privkey.pem
Your cert will expire on 2020-04-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
生成的证书文件位于文件夹/etc/letsencrypt/live/zhiqiang.org/fullchain.pem下。
另外一种方法,可针对所有子域名有效(注意只对子域名有效,一级域名zhiqiang.org还是要用上面的命令以及证书):
sudo certbot certonly --rsa-key-size 2048 --manual --agree-tos --no-eff-email --email zhang@zhiqiang -d "*.zhiqiang.org"
中间会需要按照提示给域名设置一个 TXT 解析记录,然后会提示:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/zhiqiang.org-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/zhiqiang.org-0001/privkey.pem
Your cert will expire on 2023-06-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
1.3、常见错误
需要注意的是上面命令有可能出现下面的提示:
Problem binding to port 80: Could not bind to IPv4 or IPv6.
字面意思是所需要的 80 端口被占用。但我检查sudo netstat -ap | grep 80并没有发现 80 端口被占用。使用sudo systemctl stop nginx停止nginx后,问题解决,虽然原因仍不明确。
还有一个常见的错误:
Challenge failed for domain zhiqiang.org
http-01 challenge for zhiqiang.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: tcp-lab.com
Type: unauthorized
Detail: 122.51.107.178: Invalid response from
https://dnspod.qcloud.com/static/webblock.html?d=zhiqiang.org:
"<!DOCTYPE html>\n<html>\n\t<head>\n\t\t<meta charset=\"utf-8\"
/>\n\t\t<meta http-equiv=\"X-UA-Compatible\"
content=\"IE=edge,chrome=1\" />\n\t\t<"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
根据提示,打开https://dnspod.qcloud.com/static/webblock.html?d=zhiqiang.org,会提示网站没有备案。这通常是阿里云把网站访问信息给拦截了(即使你自己访问是正常的,原因可能是 DNS 更新延迟等),具体参考https://blog.qiquanji.com/post/246.html。
1.4、设置自动更新证书
letsencript提供的证书有效期只有 90 天,因此需要定期更新证书。可以在服务器添加一个crontab定时任务来处理。由于certbot需要sudo权限,我们需先用sudo -i切换到root用户,然后输入crontab -e,添加下面的定时任务:
10 1 * */2 * certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
添加完毕后exit可以退出root用户。
2、使用 Nginx 配置 HTTPS 站点
有了上面的证书,就可以配置 HTTPS 站点了。nginx 的配置也比以前的 apache 简单多了。
2.1、安装nginx
sudo apt install nginx
安装后的nginx位于/etc/nginx。
2.2、添加站点
直接添加/etc/nginx/sites-enabled/zhiqiang.org文件,关键是ssl_certificate和ssl_certificate_key那两行,注意把后面的文件替换成上面获得的文件的路径:
# 将80端口的http服务转发到443端口https服务。
server {
listen 80;
server_name zhiqiang.org;
return 301 https://$server_name$request_uri;
}
# 配置443端口的https服务
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name zhiqiang.org;
ssl_certificate /etc/letsencrypt/live/zhiqiang.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/zhiqiang.org/privkey.pem;
root /home/zhangzq/blog/ftp;
index index.html index.htm;
location /_matrix {
proxy_pass http://127.0.0.1:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
# 可以配置很多个https服务,使用不同的端口,比如 https://zhiqiang.org:444。
server {
listen 444 ssl;
listen [::]:444 ssl;
server_name zhiqiang.org;
ssl_certificate /etc/letsencrypt/live/zhiqiang.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/zhiqiang.org/privkey.pem;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
添加完毕之后执行测试命令:sudo nginx -t,若显示下面结果表示一切正常,如有警告或错误,需根据提示修改,最常见的错误是少写分号:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
2.3、启动nginx
下面命令可启动nginx:
sudo systemctl start nginx
下面命令可让系统在开机时自动启动:
sudo systemctl enable nginx
其它相关的还有重启:sudo systemctl restart nginx,以及停止:sudo systemctl stop nginx。
Q. E. D.
